WKD v05: DNS problem when requesting pubkey

Peter Lebbing peter at digitalbrains.com
Thu Apr 5 13:35:42 CEST 2018


On 05/04/18 12:50, Werner Koch wrote:
> Which also means they can't do proper keyserver lookups.  Or implement
> XMPP or any other protocol with mandatory SRV record.  SRV records are
> in use for more than 18 years:

My guess is all these use cases have so far been covered by helper
routines (or complete clients) running on a server.

Which Bernhard regards as:

On 05/04/18 12:02, Bernhard Reiter wrote:
> [...] using a service degrades the
> security of the request as it gets to be attacked by the service provider.

I'm not convinced this is the case. If the service runs on the same
server as the one hosting the web client, that server can already inject
any code in the web client itself. They could rip out the "secure"
client-side library handling WKD and replace it by a piece of code that
does their bidding. Whether the code runs on the server or is provided
to the client by the same server doesn't impact the trustworthiness of
the code *itself*, only of the environment it runs in. And if the
trustworthiness of the server is compromised, you're lost already.

Is it really that black and white or am I missing a scenario?

The thing that remains is the place of the burden. To lessen the burden
on people who need an SRV record for their service, we're burdening all
implementations with jumping through hoops to obtain the SRV record.
Then again, other specifications have the same drawback: XMPP,
keyservers, off the top of my head I think SIP (VoIP etc.) is another
one. Maybe it's just part of life for a web client developer.

I understand your resistance to complaints about support of what Should
Just Work(TM), which also relates to the place of the burden. Consumers
of DNS should get their act together, this is not bleeding edge tech.
But another fix would be to allow a special host record (A, AAAA or
CNAME) with something like _wkd.example.com. I'm not saying that should
be its form, it's the general idea.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
